Let cloud_admin do live migration

[yiheqilin]

edit keystone policy.json to show Admin/instances in horizon to cloud_admin edit nova policy.json to let cloud_admin trigger live migration

@Xiaohua-Shen Could you review this PR ?

[bbc-jenkins]

Can one of the admins verify this patch?

• \"ok to test\" to accept this pull request for testing
• \"test this please\" for a one time test run
• \"add to whitelist\" to add the author to the whitelist

[bbc-jenkins]

Can one of the admins verify this patch?

• \"ok to test\" to accept this pull request for testing
• \"test this please\" for a one time test run
• \"add to whitelist\" to add the author to the whitelist

[bbc-jenkins]

Can one of the admins verify this patch?

• \"ok to test\" to accept this pull request for testing
• \"test this please\" for a one time test run
• \"add to whitelist\" to add the author to the whitelist

[Xiaohua-Shen]

LGTM

[Xiaohua-Shen]

@lihkin213 the reason for admin_required_limit is: In horizon, live migration action is under menu of admin->instance->live migration action. and dashboard to show admin->instance need privilege of 'admin_required' (that's hardcoded in dashboard). Now cloud_admin has no privilege to show this panel.

So if we keep 'admin_required' unchanged and add 'cloud_admin' to this rule, then cloud_admin can see the panel , but also has all keystone related CRUD privilege.

What we tried to do is: let cloud_admin can see this panel: admin->instance->live migration action, and still has no other keystone privilege.

[lihkin213]

We should see if we can use horizon customization for this instead of modifying the policy file

[yiheqilin]

Base on previous reviews, edit nova policy only

[Xiaohua-Shen]

@lihkin213 verified on integration test env and it works.

[nirajdp76]

ok to test

[nirajdp76]

@lihkin213 can u provide your approval

[lihkin213]

retest

[lihkin213]

ok to test

[Xiaohua-Shen]

retest